cleantalk
Vulnerabilities and Security Researches

Orbit Fox by ThemeIsle, CVE-2026-11358

CVE, Research URL

CVE-2026-11358

Home page URL

Security reports for Orbit Fox by ThemeIsle

Application

Orbit Fox by ThemeIsle

Published on
Jun 18, 2026
Research Description
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 3.0.7.
Status
vulnerable
Previous vulnerability researches
CF7 to Webhook (CVE-2026-11395) , Jun 19, 2026
New vulnerability
Appointment Booking Calendar (CVE-2026-12111) , Jun 19, 2026
Melhor Envio (CVE-2026-54804) , Jun 19, 2026
SlimStat Analytics (CVE-2026-54818) , Jun 19, 2026
Clean Login (CVE-2026-54184) , Jun 19, 2026
Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF (CVE-2026-11784) , Jun 19, 2026